10 WordPress Security Tips To Keep Your Website Safe
As one of the most popular Content Management Systems (CMS) in the world, WordPress is no stranger to cyberattacks. So if you use WordPress and don’t take the proper precautions, you may be putting yourself and your customers at risk.
10 Ways To Improve Your WordPress Security
- Choose a secure web host
- Utilize HTTPS and SSL certificates
- Use strong usernames and passwords
- Install WordPress security plugins
- Set up two-factor authentication
- Secure your WordPress admin area
- Update your WordPress, plugins, and themes regularly
- Switch to the latest PHP version
- Disable hotlinking
- Back up your site
For those who don’t know, cyberattacks can expose your customers’ personal information and cause significant financial loss through downtime or lost revenue from ad impressions that were never delivered. Worst of all, they can also damage your reputation as someone who can be trusted with sensitive customer data.
After all, would customers trust a business that has put their personal data at risk?
To avoid this (as well as a lot of other security-related headaches), we’ve put together 10 tips on how to strengthen your WordPress security. If you want to learn more about bolstering your online defenses against would-be attackers, read on!
10 Ways to Improve Your WordPress Security
With so many online threats, you might be thinking: where do you start? Should you switch web hosts? Should you invest in expensive anti-malware measures?
If you’re struggling with where to take the first step toward protecting your WordPress site, here are 10 quick and easy tips to help secure your site:
1. Choose A Secure Web Host
Your web host serves as the foundation for your WordPress site: Build it on uneven ground, and the whole thing may come crumbling down at the slightest push. Anchor it upon solid ground, however, and it will weather the strongest storms.
When choosing a host for your WordPress site, it’s therefore important to find one that offers a sizable suite of security features. These could include things like DDoS protection, SSL protection, built-in malware scanners, and automatic backups.
Consider the security measures that the web host offers first before thinking about any other features. Having a higher bandwidth capacity or a 99.9% uptime guarantee means nothing if your visitors are constantly exposed to malware and data breaches.
If you’re overwhelmed by the sheer number of options out there, don’t worry: We’ve tested more than 45 of them and made a comprehensive list of this year’s best web hosts.
2. Utilize HTTPS And SSL Certificates
Once you’ve signed up with a secure web host, you should ensure that it uses HTTPS (Hypertext Transfer Protocol Secure). To do this, you need to get an SSL certificate.
Secure Sockets Layer (SSL) is essentially the protocol that encrypts any sensitive data that is sent through an internet connection, preventing any attackers from seeing or modifying that data.
An SSL certificate is a digital file that you install onto your website that tells browsers that they can trust your website and that any information sent or received will be encrypted via SSL.
Fortunately, most web hosting services (such as the ones in the article that we linked in the previous section) offer an SSL certificate as part of their security features.
These two protocols (HTTPS and SSL) work in tandem so that the data that goes through your site is kept safe from any attackers. They also help with SEO, allowing your site to climb the search engine rankings.
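Having a certificate installed is only half of the job; the site also has to refuse to serve pages over plain HTTP. The following must-use plugin is an added example (not code from the article or from WordPress itself) that redirects every plain-HTTP request to HTTPS. It assumes the host already has a valid certificate in place and that the site’s Home URL under Settings > General begins with https://; the file name force-https.php is a hypothetical choice.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example)
 * Description: Redirects plain-HTTP requests to HTTPS. Save as
 *              wp-content/mu-plugins/force-https.php; mu-plugins load on
 *              every request and cannot be deactivated from the dashboard.
 */

// Assumption: a valid certificate is installed and the Home URL is already
// https://... Without that, this redirect loops or sends visitors to a
// certificate error page.

add_action('init', function () {
    // Nothing to do for requests that are already encrypted, or for WP-CLI.
    if (is_ssl() || (defined('WP_CLI') && WP_CLI)) {
        return;
    }

    // Build the HTTPS target from the configured site hostname, not from the
    // client-supplied Host header, so the redirect cannot be pointed elsewhere.
    $site_host = wp_parse_url(home_url(), PHP_URL_HOST);
    $request   = $_SERVER['REQUEST_URI'] ?? '/';

    // 301: browsers and search engines remember the HTTPS location.
    wp_safe_redirect('https://' . $site_host . $request, 301);
    exit;
}, 1); // priority 1: run before other init handlers that might send output
```

Pair this with `define('FORCE_SSL_ADMIN', true);` in wp-config.php so the login page and dashboard are never served over plain HTTP. If your host terminates TLS on a load balancer or proxy, `is_ssl()` may report false for every request and the redirect will loop; in that setup, WordPress needs to be told about the proxy’s `X-Forwarded-Proto` header in wp-config.php (by setting `$_SERVER['HTTPS'] = 'on'` when that header is `https`), which should only be done when the proxy is the sole way traffic reaches the server.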
3. Use Strong Usernames And Passwords
Using strong usernames and passwords is another simple trick that you can do to make your WordPress site more secure.
Although this tip may seem like a no-brainer, you’d be surprised at the number of people who use “password” or “123456” as their password. As a matter of fact, a 2022 report from NordPass stated that a staggering 4,929,113 people used the former as their password, and 1,523,537 users used the latter.
To keep your accounts as secure as possible, you should aim to use a different password for each account.
But with so many accounts and just as many passwords, how are you supposed to remember all of them? Is it time to buy Post-it Notes and just write all of your passwords down on them?
Luckily, password managers can make this issue a thing of the past: Just download and install one, and it’ll generate and store your passwords for you, ensuring that you’ll never have to worry about making yet another alphanumeric spelling of your pet’s name to use as your password ever again.
If you’re searching for a safe and reliable password manager, fear not: Here’s our article on 2023’s best password managers.
Similarly, you should never use the default WordPress “admin” username. Luckily, this is a very easy issue to resolve:
Click on “Users” in the WordPress dashboard, and then on “Add New.” Then, assign the “Administrator” role to this account.
You can then delete the old “admin” account. Make sure that you choose the “Attribute all content to:” option, selecting your newly created account before clicking on “Confirm Deletion.” This changes all of the “admin” account’s posts to be authored by your chosen account.
4. Install WordPress Security Plugins
Once you’ve set up your new WordPress account and its highly secure password, you can now install plugins to increase your site’s security.
Plugins are handy little pieces of software that fulfill a variety of functions. There are more than 60,000 plugins on WordPress.org; however, for the purposes of this article, we’ll be focusing on three of the best security plugins that we’ve found.
4.1. Jetpack
Jetpack has a highly customizable paid version that lets you mix and match plugins based on your site’s security needs. On the other hand, its free version has the following features:
- Protects against spam, malware, and brute-force logins
- Provides a simple activity log and site stat reporting
- Auto-updates individual plugins
4.2. Wordfence
Alternatively, Wordfence Security offers the following features as part of its free version:
- A web application firewall (WAF) that blocks malicious traffic
- Malware scanning
- Live traffic and analytics monitoring
4.3. All-in-One Security (AIOS)
With its robust feature list, All-in-One Security (AIOS) is another formidable security plugin, boasting the following as part of its free version:
- A smart algorithm that automatically detects if an account has the default “admin” username or if a user has identical login and display names, prompting them to change these names
- A password strength tool that tells you how long it would take to crack your password during a brute-force attack
- A firewall that automatically protects against the latest threats
If none of these three tickle your fancy (or if you’re looking to bolster your site’s security even further), check out our article on the best security plugins for WordPress.
5. Set Up Two-Factor Authentication
Two-factor authentication is one more security measure that you can add on top of your password to increase your admin account’s security.
2FA requires you to use another device (e.g., a smartphone) to confirm a login or enter a code, ensuring that a would-be hacker would need to get a hold of your phone first before being able to break into your account.
You can simply install a plugin, such as miniOrange’s Google Authenticator, to enable 2FA for your WordPress login. You can then configure this plugin and install a separate authenticator app on your phone, adding yet another layer of protection against any attackers.
6. Secure Your WordPress Admin Area
One additional security feature that’s pretty easy to set up involves securing your admin area and login page. The default URL for your WordPress site’s login is [domain.com]/wp-admin.
Any hacker worth their salt knows this, so you should change the URL to something else, preventing bots and hackers from reaching the default login page. WPS Hide Login is a free plugin that lets you change your login URL into anything you want.
To set up your new login URL, simply install this plugin, go to “Settings” on your dashboard, navigate to “WPS Hide Login,” and change the URL.
7. Update Your WordPress, Plugins, And Themes Regularly
Now that you’ve installed some plugins to beef up your site’s security, you should ensure that these plugins as well as any themes and WordPress itself are up-to-date. Outdated software can put your site at risk, as attackers routinely exploit vulnerabilities that are otherwise patched out in updates.
Luckily, WordPress lets you set up automatic updates for all of these components, ensuring that you’ll never have an outdated, vulnerable website. To learn how to set up automatic updates, check out this guide!
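The automatic-update settings can also be pinned in code, which is useful when more than one person administers the site. The following must-use plugin is an added example (not code from the article or from WordPress) that turns on background updates for all themes and plugins while holding back one plugin that needs manual testing after each release. The plugin path in HELD_BACK_PLUGINS is a constructed placeholder, and the file name auto-updates.php is a hypothetical choice.

```php
<?php
/**
 * Plugin Name: Automatic updates policy (added example)
 * Description: Enables background updates for plugins and themes, with one
 *              plugin held back. Save as wp-content/mu-plugins/auto-updates.php.
 */

// Assumption: core updates are handled in wp-config.php, above the
// "That's all, stop editing!" line, with one of:
//     define('WP_AUTO_UPDATE_CORE', true);    // every core release
//     define('WP_AUTO_UPDATE_CORE', 'minor'); // security and maintenance releases only

// Plugins that must not update on their own. Values are plugin file paths as
// WordPress reports them (directory/main-file.php).
// Constructed placeholder value; replace it with your own.
const HELD_BACK_PLUGINS = [
    'example-plugin/example-plugin.php',
];

// $update is WordPress's current decision for this plugin; $item describes the
// available update (->plugin is the plugin file path, ->slug its directory).
add_filter('auto_update_plugin', function ($update, $item) {
    if (in_array($item->plugin, HELD_BACK_PLUGINS, true)) {
        return false; // leave this one for a manual update after testing
    }
    return true; // everything else updates in the background
}, 10, 2);

// Themes have no exceptions here: always update.
add_filter('auto_update_theme', '__return_true');
```

Because these filters run after the per-plugin “Enable auto-updates” toggles in the dashboard, they override whatever is set there, which is the point: the policy lives in version-controlled code rather than in a setting anyone with dashboard access can flip. Background updates only run when WP-Cron fires, so a site with little traffic (or with `DISABLE_WP_CRON` set) also needs a real cron job or a host-side scheduler to trigger them.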
8. Switch To The Latest PHP Version
PHP is the scripting language that WordPress itself (and every plugin and theme) is written in, so the PHP version on your server underpins the whole site. Currently, PHP is up to version 8.2, and each version is usually supported (with vulnerabilities and bugs patched out regularly) for around 2 years.
However, WordPress’s stats page shows that an alarming 54.5% of its users use version 7.4, which, according to the PHP website itself, is “a release that is no longer supported,” further stating that “users of this release should upgrade as soon as possible, as they may be exposed to unpatched security vulnerabilities.”
Like your plugins and themes, you should always strive to keep your PHP version updated. To do this, you can simply go into cPanel, click “PHP Select,” and choose the latest version of PHP.
9. Disable Hotlinking
Hotlinking occurs when somebody takes an image’s URL from one website and then uses it on their own. The image is shown on that person’s website, but the bandwidth is consumed by the site that actually hosts the image.
This is essentially theft, as the other site pays for nothing, while you’re left to pay the bills from your image suddenly being accessed by the audience of that other site.
To check if your site has been hotlinked, type the following into Google Images, replacing domain.com with your domain name:
inurl:domain.com -site:domain.com
To disable this costly (and annoying) practice on WordPress, you can use an FTP client, a CDN, or a WordPress security plugin, such as AIOS, which we’ve already linked above.
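The Google Images search above only finds pages that Google has indexed. A more direct check, described under “To check if your site has been hotlinked,” is to look at your own web-server access log for image requests that arrived with a Referer from another site. The script below is an added example (not code from the article), written to run from the command line with `php hotlinks.php`. It assumes the log is in the common “combined” format, that the hostnames in OWN_HOSTS (a placeholder) are the ones allowed to embed your images, and it uses constructed sample lines rather than a real log.

```php
<?php
// Added example (not from the article): scan a web-server access log for
// image requests whose Referer belongs to another site, i.e. hotlinking.
// Assumes the "combined" log format. OWN_HOSTS is a placeholder.

const OWN_HOSTS = ['example.com'];   // placeholder: your own domain(s)

// True when $host is one of your own hostnames or a subdomain of one,
// so images embedded from e.g. www.example.com are not reported.
function is_own_host(string $host, array $own_hosts): bool
{
    foreach ($own_hosts as $own) {
        if ($host === $own || str_ends_with($host, '.' . $own)) {
            return true;
        }
    }
    return false;
}

// Returns [referer_host => [image_path => hits]] for successfully served
// image requests that carried a foreign Referer. Requests without a Referer
// ("-") are skipped: browsers send none for typed URLs and bookmarks, so they
// are not evidence of hotlinking.
function find_hotlinks(iterable $lines, array $own_hosts): array
{
    // ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
    $pattern = '/^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    $hits = [];

    foreach ($lines as $line) {
        if (!preg_match($pattern, trim($line), $m)) {
            continue; // not a combined-format line
        }
        [, $target, $status, $referer] = $m;

        $path = parse_url($target, PHP_URL_PATH);
        if ($status !== '200' || !is_string($path)
            || !preg_match('/\.(?:jpe?g|png|gif|webp|svg)$/i', $path)) {
            continue; // only images that were actually delivered count
        }

        $ref_host = parse_url($referer, PHP_URL_HOST);
        if (!is_string($ref_host) || is_own_host(strtolower($ref_host), $own_hosts)) {
            continue; // no Referer, an unparsable one, or one of our own pages
        }

        $hits[$ref_host][$path] = ($hits[$ref_host][$path] ?? 0) + 1;
    }
    return $hits;
}

// Constructed sample lines, not a real log. Addresses are documentation ranges.
$sample = [
    '203.0.113.5 - - [10/May/2023:12:00:01 +0000] "GET /wp-content/uploads/2023/05/hero.jpg HTTP/1.1" 200 48213 "https://example.com/about/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2023:12:00:02 +0000] "GET /wp-content/uploads/2023/05/hero.jpg HTTP/1.1" 200 48213 "https://other-site.test/blog/" "Mozilla/5.0"',
    '198.51.100.8 - - [10/May/2023:12:00:03 +0000] "GET /wp-content/uploads/2023/05/hero.jpg HTTP/1.1" 200 48213 "https://other-site.test/blog/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2023:12:00:04 +0000] "GET /about/ HTTP/1.1" 200 9120 "https://other-site.test/blog/" "Mozilla/5.0"',
    '203.0.113.6 - - [10/May/2023:12:00:05 +0000] "GET /wp-content/uploads/2023/05/logo.png HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
];

foreach (find_hotlinks($sample, OWN_HOSTS) as $host => $paths) {
    foreach ($paths as $path => $count) {
        printf("%s embeds %s (%d hits)\n", $host, $path, $count);
    }
}
```

To run it against a real log, replace `$sample` with `new SplFileObject('/path/to/access.log')`, which iterates line by line without loading the whole file. Keep in mind that the Referer header is sent by the client and can be stripped or faked, so this check (and the Referer-based blocking rules that plugins and CDNs apply) catches ordinary browsers embedding your images, not a determined scraper; treat the output as an indicator of where your bandwidth is going, and pair it with the blocking measures mentioned above.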
10. Back Up Your Site
You should always have a backup of your site ready for when all else fails. Backups essentially act as a time machine that lets your site go back to when the backup was created, reverting all of the changes that were made since that point in time, regardless of whether they were made by you or by a hacker.
Given this, you should back up your site regularly, ensuring that you lose as little of your work as possible. Whether you’re updating your WordPress software or testing out some new code, always remember to back up your site.
To make the backup process as painless as possible, check out our guide on the easiest ways to back up (or migrate) your WordPress site.
Why Do You Need to Secure Your WordPress Website?
Your WordPress site — whether it’s a small blog that you update every month or so or a major e-commerce platform — is an investment. It has cost you time and money to build, and protecting this investment is paramount.
Regardless of how secure you may think it is, if someone breaks into your site, they could steal information about your customers or employees, post spammy ads (or links to malware) on your front page, send out phishing emails to your site contacts, bring down your entire site… the list goes on! And all these things can hurt not only your sales but also your reputation.
As such, having good security practices in place to defend against hackers and malware is essential for any WordPress site owner, which we’ll be talking about in the next section.
A Good Website is a Secure Website!
Now that you’ve learned our top 10 tips to improve your site’s security, it’s time to put them into action. Remember to always be vigilant, and stay updated on the latest security trends and threats!